Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS03NjQ0LWN4cDgtaDIzcs4AAv0b

ibexa/admin-ui vulnerable to Cross-site Scripting in content type name/shortname

Critical severity. It is possible to inject JavaScript XSS in the content type entries "name" and "short name". To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, please verify which users have this permission. The fix ensures any injections are escaped.

Permalink: https://github.com/advisories/GHSA-7644-cxp8-h23r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NjQ0LWN4cDgtaDIzcs4AAv0b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 11 months ago
Updated: 9 months ago

Identifiers: GHSA-7644-cxp8-h23r
References:

• https://github.com/ibexa/admin-ui/security/advisories/GHSA-7644-cxp8-h23r
• https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips
• https://github.com/advisories/GHSA-7644-cxp8-h23r

Affected Packages